On Nov 28, 2007, at 1:58 PM, Jim Fenton wrote:
It seems that my language wasn't precise enough, so let me take
another shot at it.
It has been noted that when a signing domain "claims responsibility
for the introduction of a message into the mail stream" it is not
actually asserting the validity of any part of the message. This is
relevant to SSP because it has a dependency on whether the Signing
Address (i= address or its default) matches the address in the From:
header field.
I propose to solve that problem by adding language similar to the
following to the SSP draft:
Domains publishing SSP records indicating practices other than
"unknown" MUST ensure the validity [correctness] of the address in
the From: header field for messages to which they apply an
Originator Signature.
In other words, before applying an Originator Signature, make sure
the message isn't spoofed.
Mailing-lists should still be able to sign their outbound messages!
I think you mean "Do not include the localpart within the i= parameter
when the email-address within the From header has not been
authenticated."
What about Sender and Resent-* headers?
Why not say: "Do not include the localpart within the i= parameter
when the email-address has not been authenticated." It does not
really matter which header is contains a matching domain for which the
signature is being added.
This is not defined within the base draft where this added condition
appears to be a significant change.
Are DKIM signing MTAs even able to make these authentication assurances?
Should the i= parameter be forced to exclude localparts when this
email-address authentication assurance can not be made?
Secondly, how would you classify the possibility for spoofing when MUA
keys employ partial g= restrictions?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html